If your business is migrating to or using Google’s suite of business productivity tools, you might be concerned about properly securing G Suite use. While Microsoft Office 365 still wears the cloud office productivity crown, more than five million businesses now use G Suite, and that number is growing fast. Our partners at Okta noted in their 2019 “Business @ Work” report that the number of active G Suite users grew 116 percent year over year.
Google’s growing presence in midsize and large organizations is putting a bigger spotlight on G Suite security than ever before. Overall, Google has met the challenge with a steady stream of new G Suite security features. Many third-party cloud security vendors have introduced G Suite data security offerings as well.
There are some common pitfalls that can trip up even experienced G Suite administrators, though. In this post, we’ll share our top five G Suite security mistakes, along with some tips for avoiding them.
Mistake #1: Running User Account Administration on Autopilot
G Suite includes multiple built-in user account management features. Google’s Cloud Identity offering or third-party identity-as-a-service (IaaS) offerings provide even more control. These types of tools give security admins an extensive set of security settings. However, it’s easy to make the mistake of flipping all the switches to “on” instead of carefully considering the consequences.
For example, unique passwords are a must in the “Have I Been Pwned?” era we’re living in now. But forcing users to change passwords frequently – once conventional wisdom – can cause more harm than good in many cases. In fact, even NIST now advises against such policies.
Similarly, it might be tempting to just switch all the multi-factor authentication (MFA) options to “on.” Not all 2-step verification techniques are equally effective, though. A weak MFA option is better than none at all. But SMS-based verification, for example, is much more vulnerable than security key and authenticator app approaches. In fact, Google itself has completely eliminated successful phishing attacks across its base of 85,000-plus users through security keys.
Finally, the biggest mistake that organizations make with account security is placing too much faith in their policies and controls. It’s critical to actively monitor real-time user access to your G Suite deployment and proactively identify anomalies. G Suite has several built-in account security alerts that can be enabled.
This is also an area where a third-party analysis and monitoring solution like ActiveEye can help protect users and corporate data. Over time, the ActiveEye platform learns who (and what) is going after your organization, and it can build a threat database that your analysts can add to manually. Advanced machine learning uses this data while profiling users to detect account takeover or insider threats.
Mistake #2: Overlooking Data Leakage Corner Cases
One of the things that makes G Suite so effective as a business tool is that it includes many different collaboration options. Nonetheless, each one of these features is also a possible path for data leakage. G Suite admins who are concerned about data leakage may enable Google’s data loss prevention (DLP) features on email. These capabilities can also be applied to other G Suite apps like Google Drive, Docs, Sheets, and Slides. This can be combined with boundaries and/or warnings for file sharing to prevent accidental sharing of sensitive information.
There are also less obvious corner cases for data leakage, such as Google Hangouts chats and Google Groups. For example, when you create email distribution groups, G Suite creates corresponding web-based Google Groups.
These groups can be set to private, but not doing so is an easy mistake to make. In fact, last year, researchers analyzing this problem discovered 9,600 organizations with their Google Groups set to public. Of these, about a third were found to be leaking sensitive email content.
So, this is an area where G Suite admins should be casting a wider policy net. It’s also important to monitor for DLP policy violations and anomalies in all Google apps that can share data externally.
Mistake #3: Sleeping on Third-Party Application Access
G Suite’s ability to integrate with other cloud-based applications is a major strength. G Suite has a whole marketplace of apps that can give you additional functionality. Many of these apps are also business-class applications with sound security, but you must grant each of them access to the G Suite environment. This opens up a whole new universe of risk.
That doesn’t mean that you shouldn’t allow third-party add-ins. If security best practices aren’t defined upfront, however, they can spiral out of control. The good news is that Google makes it easy to view and manage these third-party integrations in the admin console. It’s important to perform regular audits, though.
Admins can also set policies to govern app integrations and define pre-authorized application whitelists. It’s also possible to tightly manage the scope of API access for any given application.
This is another area where G Suite monitoring and anomaly detection is key. Most application integrations are predictable in how they interact with G Suite, so proactive anomaly detection capabilities can catch abuse early.
Mistake #4: Failing to Adequately Train New Users
It’s easy for organizations that use G Suite extensively to forget that the Google approach may be entirely new to some employees. In the Okta report mentioned above, 49 percent of survey respondents reported that they had never used Google Docs before.
New employees with years of relevant experience in Microsoft-centric organizations will likely be reluctant to ask for training or help. And if you throw them into the deep end without training, the results can be disastrous.
Regular training is important for seasoned G Suite users as well. Something as simple as an out-of-office message can give an attacker what they need to execute a successful business email compromise (BEC) scam.
Analyzing usage trends in audit logs and reports is a good way to identify possible user training needs.
Mistake #5: Leaving Security Audit Log Retention to Google
Longtime users of Gmail may think of Google as the “save everything” company. They don’t apply the same philosophy to security events, though. The volume of log data generated across all G Suite accounts is quite large – even by Google’s standards. As a result, they don’t provide long-term security event log retention.
In fact, the retention period for many types of G Suite audit logs is a mere six months. This may seem adequate until you consider that more sophisticated attacks may take place over months or even years. It’s also common for major breaches to be discovered a year or more after the initial compromise. So, it’s a good practice to send G Suite audit logs to an external storage system or a third-party service provider for long-term retention.
G Suite is here to stay, and it’s certainly possible for organizations with high security standards to use it effectively and securely. But G Suite admins should avoid being lulled into a false sense of security. Each feature in the G Suite security center requires careful consideration of the trade-offs between security and user experience.
It’s also important to look beyond the obvious features like email and team drive functionality when defining security policies.
And finally, security controls alone are not enough. It’s critical to have your in-house security team or a third-party partner like Delta Risk actively watching for threats and anomalies in your G Suite environment.